CVE-2025-26695: Observable Discrepancy in Mozilla Thunderbird

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 87.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 10; latest update Jul 22

Description

When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.8 | Impact: 3.4

Affected Packages (2 packages)

NVD: mozilla/thunderbird 129.0 136.0 +1
Debian: mozilla/thunderbird < 1:128.8.0esr-1~deb11u1 +3

🔴 Vulnerability Details (3)

OSV: CVE-2025-26695: When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the reque (2025-03-10)
GHSA: GHSA-29qq-gf32-fj2m: When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the reque (2025-03-10)
CVEList: Downloading of OpenPGP keys from WKD used incorrect padding (2025-03-10)

📋 Vendor Advisories (5)

Ubuntu: Thunderbird vulnerabilities (2025-07-22)
Red Hat: thunderbird: Downloading of OpenPGP keys from WKD used incorrect padding (2025-03-10)
Debian: CVE-2025-26695: thunderbird - When requesting an OpenPGP key from a WKD server, an incorrect padding size was ... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-18: CVE-2025-26695
Mozilla: Mozilla Foundation Security Advisory 2025-17: CVE-2025-26695